Cybersecurity pros make final push to quash proposed export restrictions
Instead of the Commerce Department plan to limit the export of surveillance technology, many industry professionals and experts want entirely new proposals.
With just three days left to comment on a controversial plan to stymie US exports of surveillance technology, many cybersecurity professionals are making their final pleas to kill the proposed trade restrictions.
While many in the security community agree in spirit with the plan from the Department of Commerce's Bureau of Industry and Security to limit overseas sales of spyware, especially to oppressive regimes, they also say the recommended pact is so broad and vague that it could harm the entire cybersecurity industry.
"Cyber is a space that is borderless and global. The rule needs to be re-looked at given the global interconnectedness of the industry," says Cheri McGuire, vice president of government affairs and security policy at the security firm Symantec.
Rather than restrict the export of spyware technology, the current proposal restricts the export of information about malicious software, the command platforms to control it, and the tools to make it.
Many experts say the Commerce Department proposal is written in such a way that it would prevent even transporting critical security software for testing global networks and would limit research between security labs in different countries. The department also warned that applications for a license to export technology that could be used for surveillance would be met with a presumption of denial, making it difficult for firms to get permission to do legitimate cybersecurity business overseas.
The proposal is "well-intentioned, but has unintended consequences that must be addressed," said Eric Wenger, director of cybersecurity and privacy policy at Cisco, the world's largest maker of networking equipment.
But if the policymakers at the Commerce Department go back to the drawing board, it's unclear what a replacement proposal would look like — and whether the security industry would like it any better.
The trade proposal resulted from the 41-nation Wassenaar Arrangement, which was originally intended to limit the sale of conventional weapons and was expanded in 2013 to include restrictions on malware sales. Europe has already implemented the new limitations.
Instead of coming up with a new draft, the Electronic Frontier Foundation's Nate Cardozo says he wants the US to reopen the initial discussions that led to the software restrictions with the Wassenaar negotiators. That way, says the EFF staff attorney, the agreement could focus on actual spyware and surveillance products instead of the components that make or control those technologies.
"What are they actually trying to control? Are they trying to control [the notorious spyware] FinFisher?" asks Mr. Cardozo, who recently filed a lawsuit against Ethiopia over its use of FinFisher, a maker of surveillance technology. "Why don't they go after export of that kind of software directly?"
The idea of banning software that exfiltrates — or steals — data without the users' knowledge is often cited as the utopian fix for the trade proposal. Sergey Bratus, a Dartmouth College computer science associate professor, originally suggested it in 2014 when the Bureau of Industry and Security first asked for comments on how it should impose the Wassenaar deal.
Cardozo says that comments he will submit Monday will urge the Department of Commerce to ease existing restrictions on exporting encryption technology alongside any rule to fight militarized spyware. Cardozo believes encryption would be a more successful measure to protect targets of repressive government surveillance.
"When I submit my comments about Wassenaar to the [Bureau of Industry and Security] on Monday," he says, "the first point I will make is that if you think that this is a good idea, you have to remove cryptography from other export restrictions."
Restricting only exfiltration would assuage many concerns in the international community, says Ms. McGuire of Symantec, a founding member of the Coalition for Responsible Cybersecurity, which launched this week as a show of force against the BIS draft policy. Focusing on exfiltration, she says, reassures foreign governments that the US isn't withholding cybersecurity tools for its own gain.
But barring a complete renegotiation of the rule, McGuire says adding exemptions to BIS regulations for defensive cybersecurity products or research would appease many within the industry.
McGuire says BIS would have taken that approach if it had consulted the cybersecurity industry as a whole, as the National Institute of Standards and Technology did in preparation for its recently released security best practices.
"Look at the NIST framework. It certainly went through a very lengthy process to ensure there were no consequences," she says.
Dave Aitel, chief technology officer at the security company Immunity Inc., suggests the BIS remove the presumption of denial and only mandate licenses for sales to hostile governments. But he isn't convinced that any regulations, no matter how restrictive, would make much of an impact.
The recent data breach at Italian spyware seller Hacking Team proves his point, he says. It shows that Italy was willing to issue a "global license" to the company to distribute its surveillance software nearly anywhere, he says. If companies such as Hacking Team cannot be controlled by the regulations, how could they be at all successful, asks Mr. Aitel.
Though Aitel says the rules would not have much effect, he says modifying the proposal to something less "onerous" would be the end of a long struggle.
"I did not want my life to be consumed by Wassenaar for the past two years," he said. "But here we are. It's an awfully important government process to have begun in such a broken way."